MISP
/
misp-rfc
mirror of https://github.com/MISP/misp-rfc
2
0
Fork 0
Code Issues Releases Wiki Activity

txt version generated

pull/19/merge
Alexandre Dulaunoy 2018-08-03 12:26:13 +02:00
parent 6de816c8cf
commit 668d838ec0
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 216 additions and 104 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

320
misp-galaxy-format/raw.md.txt
View File

@ -31,7 +31,7 @@ Status of This Memo
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
@ -47,7 +47,7 @@ Copyright Notice
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
@ -71,11 +71,11 @@ Table of Contents
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. values . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. values . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.3. meta . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.3. meta . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 3. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
4. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.1. Normative References . . . . . . . . . . . . . . . . . . 4 4.1. Normative References . . . . . . . . . . . . . . . . . . 7
4.2. Informative References . . . . . . . . . . . . . . . . . 5 4.2. Informative References . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
@ -131,16 +131,17 @@ Internet-Draft MISP galaxy format April 2018
object reference and MUST be present. The description is represented object reference and MUST be present. The description is represented
as a string and MUST be present. The uuid is represented as a string as a string and MUST be present. The uuid is represented as a string
and MUST be present. The version is represented as a decimal and and MUST be present. The version is represented as a decimal and
MUST be present. The source is represented as a string and MUST be MUST be present. The type is represented as a string and MUST be
present. Authors are represented as an array containing one or more present and MUST match the name of the galaxy file. The source is
authors and MUST be present. represented as a string and MUST be present. Authors are represented
as an array containing one or more authors and MUST be present.
Values are represented as an array containing one or more values and Values are represented as an array containing one or more values and
MUST be present. Values defines all values available in the galaxy. MUST be present. Values defines all values available in the galaxy.
2.2. values 2.2. values
The values array contains one or more JSON objects which represents The values array contains one or more JSON objects which represent
all the possible values in the galaxy. The JSON object contains four all the possible values in the galaxy. The JSON object contains four
fields: value, description, uuid and meta. The value is represented fields: value, description, uuid and meta. The value is represented
as a string and MUST be present. The description is represented as a as a string and MUST be present. The description is represented as a
@ -152,10 +153,11 @@ Internet-Draft MISP galaxy format April 2018
2.3. meta 2.3. meta
Meta contains a list of custom defined JSON key value pairs. Users Meta contains a list of custom defined JSON key value pairs. Users
SHOULD reuse commonly used keys such as 'properties, complexity, SHOULD reuse commonly used keys such as properties, complexity,
effectiveness, country, possible_issues, colour, motive, impact, effectiveness, country, possible_issues, colour, motive, impact,
refs, synonyms, derivated_from, status, date, encryption, extensions, refs, synonyms, derivated_from, status, date, encryption, extensions,
ransomnotes' wherever applicable. ransomnotes, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-
type-of-incident, cfr-target-category wherever applicable.
properties is used to provide clusters with additional properties. properties is used to provide clusters with additional properties.
Properties are represented as an array containing one or more strings Properties are represented as an array containing one or more strings
@ -163,13 +165,29 @@ Internet-Draft MISP galaxy format April 2018
Dulaunoy, et al. Expires October 3, 2018 [Page 3] Dulaunoy, et al. Expires October 3, 2018 [Page 3]
Internet-Draft MISP galaxy format April 2018 Internet-Draft MISP galaxy format April 2018
derivated_from, refs, synonyms SHALL be used to give further
informations. refs is represented as an array containing one or more
strings and SHALL be present. synonyms is represented as an array
containing one or more strings and SHALL be present. derivated_from
is represented as an array containing one or more strings and SHALL
be present.
date, status MAY be used to give time information about an cluster.
date is represented as a string describing a time or period and SHALL
be present. status is represented as a string describing the current
status of the clusters. It MAY also describe a time or period and
SHALL be present.
colour fields MAY be used at predicates or values level to set a
specify colour that MAY be used by the implementation. The colour
field is described as an RGB colour fill in hexadecimal
representation.
complexity, effectiveness, impact, possible_issues MAY be used to complexity, effectiveness, impact, possible_issues MAY be used to
give further information in preventive-measure galaxy. complexity is give further information in preventive-measure galaxy. complexity is
represented by an enumerated value from a fixed vocabulary and SHALL represented by an enumerated value from a fixed vocabulary and SHALL
@ -178,44 +196,26 @@ Internet-Draft MISP galaxy format April 2018
enumerated value from a fixed vocabulary and SHALL be present. enumerated value from a fixed vocabulary and SHALL be present.
possible_issues is represented as a string and SHOULD be present. possible_issues is represented as a string and SHOULD be present.
country, motive MAY be used to give further information in threat- Example use of the complexity, effectiveness, impact, possible_issues
actor galaxy. country is represented as a string and SHOULD be fields in the preventive-measure galaxy:
present. motive is represented as a string and SHOULD be present.
colour fields MAY be used at predicates or values level to set a
specify colour that MAY be used by the implementation. The colour
field is described as an RGB colour fill in hexadecimal
representation.
encryption, extensions, ransomnotes MAY be used to give further
information in ransomware galaxy. encryption is represented as a
string and SHALL be present. extensions is represented as an array
containing one or more strings and SHALL be present. ransomnotes is
represented as an array containing one or more strings ans SHALL be
present.
date, status MAY be used to give time information about an cluster.
date is represented as a string describing a time or period and SHALL
be present. status is represented as a string describing the current
status of the clusters. It MAY also describe a time or period and
SHALL be present.
derivated_from, refs, synonyms SHALL be used to give further
informations. refs is represented as an containing one or ore string
and SHALL be present. synonyms is represented as an containing one or
ore string and SHALL be present. derivated_from is represented as an
containing one or ore string and SHALL be present.
3. Acknowledgements
The authors wish to thank all the MISP community who are supporting
the creation of open standards in threat intelligence sharing.
4. References
4.1. Normative References
{
"meta": {
"refs": [
"http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Administrative VBS scripts on Workstations"
},
"value": "Disable WSH",
"description": "Disable Windows Script Host",
"uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
}
@ -226,28 +226,181 @@ Dulaunoy, et al. Expires October 3, 2018 [Page 4]
Internet-Draft MISP galaxy format April 2018 Internet-Draft MISP galaxy format April 2018
country, motive MAY be used to give further information in threat-
actor galaxy. country is represented as a string and SHOULD be
present. motive is represented as a string and SHOULD be present.
Example use of the country, motive fields in the threat-actor galaxy:
{
"meta": {
"country": "CN",
"synonyms": [
"APT14",
"APT 14",
"QAZTeam",
"ALUMINUM"
],
"refs": [
"http://www.crowdstrike.com/blog/whois-anchor-panda/"
],
"motive": "Espionage"
},
"value": "Anchor Panda",
"description": "PLA Navy",
"uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"
}
encryption, extensions, ransomnotes MAY be used to give further
information in ransomware galaxy. encryption is represented as a
string and SHALL be present. extensions is represented as an array
containing one or more strings and SHALL be present. ransomnotes is
represented as an array containing one or more strings ans SHALL be
present.
Example use of the encryption, extensions, ransomnotes fields in the
ransomware galaxy:
Dulaunoy, et al. Expires October 3, 2018 [Page 5]
Internet-Draft MISP galaxy format April 2018
{
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/",
"https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html"
],
"ransomnotes": [
"https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg",
"===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.",
"# !!!HELP_FILE!!! #.txt"
],
"encryption": "AES-256 + RSA-1024",
"extensions": [
".REVENGE"
],
"date": "March 2017"
},
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant",
"value": "Revenge Ransomware",
"uuid": "987d36d5-6ba8-484d-9e0b-7324cc886b0e"
}
source-uuid, target-uuid SHALL be used to describe relationships.
source-uuid and target-uuid represent the Universally Unique
IDentifier (UUID) [RFC4122] of the value reference. source-uuid and
target-uuid MUST be preserved.
Example use of the source-uuid, target-uuid fields in the mitre-
enterprise-attack-relationship galaxy:
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78"
},
"uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633",
"value": "menuPass (G0045) uses EvilGrab (S0152)"
}
cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-
incident and cfr-target-category MAY be used to report information
gathered from CFR's (Council on Foreign Relations) Cyber Operations
Tracker. cfr-suspected-victims is represented as an array containing
one or more strings and SHALL be present. cfr-suspected-state-sponsor
is represented as a string and SHALL be present. cfr-type-of-incident
is represented as a string and SHALL be present. cfr-target-category
is represented as an array containing one or more strings ans SHALL
be present.
Dulaunoy, et al. Expires October 3, 2018 [Page 6]
Internet-Draft MISP galaxy format April 2018
Example use of the cfr-suspected-victims, cfr-suspected-state-
sponsor, cfr-type-of-incident, cfr-target-category fields in the
threat-actor galaxy:
{
"meta": {
"country": "CN",
"refs": [
"https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
"https://www.cfr.org/interactive/cyber-operations/apt-16"
],
"cfr-suspected-victims": [
"Japan",
"Taiwan"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
]
},
"value": "APT 16",
"uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"
},
3. Acknowledgements
The authors wish to thank all the MISP community who are supporting
the creation of open standards in threat intelligence sharing.
4. References
4.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc- DOI 10.17487/RFC2119, March 1997,
editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
Unique IDentifier (UUID) URN Namespace", RFC 4122, Unique IDentifier (UUID) URN Namespace", RFC 4122,
DOI 10.17487/RFC4122, July 2005, <https://www.rfc- DOI 10.17487/RFC4122, July 2005,
editor.org/info/rfc4122>. <https://www.rfc-editor.org/info/rfc4122>.
[RFC4627] Crockford, D., "The application/json Media Type for [RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627, JavaScript Object Notation (JSON)", RFC 4627,
DOI 10.17487/RFC4627, July 2006, <https://www.rfc- DOI 10.17487/RFC4627, July 2006,
editor.org/info/rfc4627>. <https://www.rfc-editor.org/info/rfc4627>.
Dulaunoy, et al. Expires October 3, 2018 [Page 7]
Internet-Draft MISP galaxy format April 2018
4.2. Informative References 4.2. Informative References
[MISP-G] MISP, , "MISP Galaxy -", <https://github.com/MISP/misp- [MISP-G] MISP, "MISP Galaxy -",
galaxy>. <https://github.com/MISP/misp-galaxy>.
[MISP-P] MISP, , "MISP Project - Malware Information Sharing [MISP-P] MISP, "MISP Project - Malware Information Sharing Platform
Platform and Threat Sharing", <https://github.com/MISP>. and Threat Sharing", <https://github.com/MISP>.
Authors' Addresses Authors' Addresses
@ -271,17 +424,6 @@ Authors' Addresses
Email: andras.iklody@circl.lu Email: andras.iklody@circl.lu
Dulaunoy, et al. Expires October 3, 2018 [Page 5]
Internet-Draft MISP galaxy format April 2018
Deborah Servili Deborah Servili
Computer Incident Response Center Luxembourg Computer Incident Response Center Luxembourg
16, bd d'Avranches 16, bd d'Avranches
@ -303,34 +445,4 @@ Internet-Draft MISP galaxy format April 2018
Dulaunoy, et al. Expires October 3, 2018 [Page 8]
Dulaunoy, et al. Expires October 3, 2018 [Page 6]